EAP-TLS possible problem

Hi everyone, were using EAP-TLS for wlan security. we got hundreds of wlan users, what will happen if the client certificate expires? what can we do avoid it?
thanks

Hi,
there is an option under the certificate template configuration, that renews client certificates when they expire.
See point 15 under "Create the Certificate Template for the ACS Web Server" on this link:
http://www.cisco.com/en/US/partner/products/ps6366/products_configuration_example09186a00807917a6.shtml
Hope this helps!

Similar Messages

  • EAP/TLS , PEAP problem on PORTEGE with WinXP sp2 Tablet ed.

    We have: ap Cisco AiroNet350 with WPA-EAP, Freeradius with configured EAP/TLS and PEAP, tablet PC PORTEGE with WinXP sp2.
    This problem discribed at http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
    Maybe to solve this problem we need a fix ( http://support.microsoft.com/kb/885453/en-us ), but microsoft support tells to contact with notebook manufacturer.
    Can anybody help me with this problem?

    Hmmm Im not expert on this field but it seems that the MS OS update is need. (I hope)
    The preinstalled Windows OS is a simply OEM version and usually every updates should be possible. However, if the MS guys told you to contact the notebook manufacture so you can contact the Toshiba authorized service provider in your country for more details.
    But I have investigated a little bit in the net and found this useful site:
    http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci945257,00.html
    1. 802.1X depends on communication between your wireless router and a RADIUS authentication server. Whether you're using WPA2, WPA, or WEP with dynamic keys, the following 802.1X debugging hints can be helpful:
    a. Re-enter the same RADIUS secret into your wireless router and RADIUS server.
    b. Configure your RADIUS server to accept RADIUS request from your router's IP address.
    c. Use ping to verify router-to-server reachability.
    d. Watch LAN packet counts to verify that RADIUS requests and responses are flowing.
    e. Use an Ethernet analyzer like Ethereal to watch RADIUS success/failure messages.
    f. For XP SP2, turn on Wzctrace.log by entering "netsh ras set tracing * enabled"
    2. If RADIUS is flowing but access requests are being rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) mismatch or credential problem. Fixing this depends on EAP Type. For example, if your RADIUS server requires EAP-TLS, then select "Smart Card or other Certificate" on your wireless adapter's Network Properties / Authentication panel. If your RADIUS server requires PEAP, then select "Protected EAP" for the adapter. If your RADIUS server requires EAP-TTLS, then you'll need a third-party wireless client like AEGIS or Odyssey.
    Make sure that EAP-specific properties match for your adapter and server, including server certificate Trusted Root Authority, server domain name (optional but must match when specified), and client authentication method (e.g., EAP-MSCHAPv2, EAP-GTC). When using PEAP, use the CHAP "Configure" panel to prevent Windows from automatically re-using your logon.

  • ACS 4.2 and EAP-TLS with AD and prefix problem

    Hi there
    we have the following situation:
    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
    First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
    Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
    This is the normal output of the Remote Agent, it finds the host but then nothing happens:
    CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
    CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
    CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB:       Creating Domain cache
    CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
    CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
    CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
    CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
    So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
    test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
    CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
    CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB:       Creating Domain cache
    CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
    CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
    CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
    CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
    CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
    CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
    It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
    Could this be the problem or does someone see any other problem?
    Best Regards
    Dominic

    Hi Colin
    thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
    I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
    Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
    Regards
    Dominic

  • EAP-TLS and MS AD auth problem

    Hi,
    I have a problem with an ACS to authenticate users with certificate on MS AD.
    Working things:
    PEAP authentication with the MS AD;
    EAP-TLS authentication with the local DB.
    Not working things:
    EAP-TLS authentication with MS AD.
    Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
    Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
    So, why it's not working with the combination EAP-TLS and MS AD.
    I receive the error 'External DB Account Restriction'
    Thanks for your help.

    This issue is generally seens when there are multiple domains. Try out this step. Choose Network Connections from the control panel. Right-click the local area connection.Choose Properties. Double-click the TCP/IP option. Choose Advanced at the bottom. Click on DNS at the top. Choose Append these DNS suffixes. Add the FQDN for each domain that ACS authenticates against in the field.

  • ISE problem with EAP-TLS Supplicant Provisioning

    Hi All,
    I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software.  The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate...  'device on-boarding'
    The entire CWA / Device Registration process is all fine and works well.  I'm using a publically signed Cert on ISE that is built from [Root CA + Intermediate CA + Host Cert] which is used for both HTTPS and EAP and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory.  All of this works fine.
    The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA.  This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE.  There doesn't seem to be any way to configure this behaviour within ISE.
    Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
    Cheers,
    Richard
    PS - Also using WinSPWizard 1.0.0.28

    Hi Richard,
    This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
    Istvan Segyik
    Systems Engineer
    Global Virtual Engineering
    WW Partner Organization
    Cisco Systems, Inc
    Email: [email protected]
    Work: +36 1 2254604
    Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

  • ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

    Hello, I´m stucked with this problem for 3 weeks now.
    I´m not able to configure the EAP-TLS autentication.
    In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
    The ISE´s certificate has been issued with the "server Authentication certificate" template.
    The clients have installed the certificates  also the certificate chain.
    When I try to authenticate the wireless clients I allways get the same error: "     Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
    and "OpenSSLErrorMessage=SSL alert
    code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
    I don´t know what else can I do.
    Thank you
    Jorge

    Hi Rik,
    the Below are the certificate details
    ISE Certificate Signed by XX-CA-PROC-06
    User PKI Signed by XX-CA-OTHER-08
    In ISE certificate Store i have the below certificates
    XX-CA-OTHER-08 signed by XX-CA-ROOT-04
    XX-CA-PROC-06 signed by XX-CA-ROOT-04
    XX-CA-ROOT-04 signed by XX-CA-ROOT-04
    ISE certificate signed by XX-CA-PROC-06
    I have enabled - 'Trust for client authentication' on all three certificates
    this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
    when i check the certificates of current user in the Client PC this is how it shows.
    XX-CA-ROOT-04 is listed in Trusted root Certification Authority
    and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

  • EAP-TLS problems with Cisco AP541N and Server 2008 NPS

    Hi,
    I want to use EAP-TLS with my shiny new certificates issued by my new Windows CA, and what happens? Nothing works.
    I don't have a clue what I should do. I try to establish a EAP-TLS connection using my Windows CE mobile device, but my cisco AP541N logs this:
    Oct 18 15:42:58
    info
    hostapd
    wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
    Oct 18 15:42:58
    warn
    hostapd
    wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS)
    Oct 18 15:42:58
    info
    hostapd
    The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure.
    NPS logs this:
    Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2
    Netzwerkrichtlinienname: XXXXXX
    Authentifizierungsanbieter: Windows
    Authentifizierungsserver: XXXXX
    Authentifizierungstyp: EAP
    EAP-Typ: -
    Kontositzungs-ID: -
    Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
    Ursachencode: 22
    Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.
    I'm sorry it's german, but the gist is: The server can't process the authentication with the specified EAP type, which should be EAP-TLS.
    I think the NAK answer in my cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request / challenge, I think, but somebody messes up with it.
    Did anybody encounter something like this before? Or just knows what to do?
    Thanks in advance
    Lenni

    Joe:
    Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
    EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
    PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
    for PEAP-MSCHAPv2, Your options are:
    - Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
    - Install local CA. Install a cert on the server and then push the root CA cert for your CA to all client device so they trust this issuer.
    - If both up options are not valid for you, what you can do is to configure every single client to ignore the untrusted cert and proceed with the connectoin. (This is a security concern though. not recommended unless really needed).
    You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to user PEAP.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • EAP-TLS + CA MICROSOFT + ACS 3.2 APPLIANCE = Problem

    I have a Wireless Lan platform composed by equipment Access Points Cisco 1100 with ACS 3,1 and CA Microsoft.The security scheme is EAP-TLS (certificates).This architecture was completely functional. The problem took place when replacing the ACS 3,1 by the ACS 3,2 APPLIANCE, for which new certificates they were emitted by the CA of the infrastructure. The problem appears when a wireless client tries to connect to the wireless network,without obtaining the objective ,being in a state of "trying to authenticate" in networks adapters, in addition the ACS Logs appear the following message "NAS duplicated authentication attempt".
    If somebody knows the reason of this problem, can be contacted to my mail ([email protected]).

    A hint i could give you that in such a scenario you need an Trusted boundary between the ACS Appliance and the MS AD/PDC. This we be realized trough an PC/Host who is a regitered member or user of the AD/PDC. This relay Computer then communicates with the MS CA. The SW that Cisco Provides is the Cisco Secure ACS Agent. Hope this helps as we found the same problem in leap authentication as the ACS Appliance could not be set into a AD/PDC Domain. This has to be realized trough this smal piece of SW installed on an PC/Host etc. wich is a active AD/PDC Member.

  • ACS 3.3 for windows - Win AD and eap-tls problem

    Hi,
    I have a problem with an ACS to authenticate users with certificate on MS AD.
    Working things:
    PEAP authentication with the MS AD;
    EAP-TLS authentication with the local DB.
    Not working things:
    EAP-TLS authentication with MS AD.
    Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
    Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
    So, why it's not working with the combination EAP-TLS and MS AD.
    I receive the error 'External DB Account Restriction'
    Thanks for your help.

    Hi,
    This is what is interesting,
    AuthenProcessResponse: process response for 'phd' against Windows Database
    Unknown User 'phd' was not authenticated
    Done RQ1027, client 50, status -2125
    The field that is being picked from certificate has the value 'phd', check you check which field is it.
    And was the logging at full?, I think something is missing in the logs.
    Lets do a sanity check, and go through following link again,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
    Regards,
    Prem

  • EAP-TLS machine authentication problems

    Well..
    I have the following devices:
    WCS
    Wlan controller 4402
    AP 1130 LWAPP
    Workstation XP sp2
    Secure ACS 4.0
    Windows CA
    Windows AD
    Everything else is working properly, except EAP-TLS. Server certificate is installed in ACS and trust list is OK. Client certificate is installed in workstation machine store. PEAP-MsCHAPv2 working OK, ACS logging prompts successful authentication. I tried to use the certificate authentication from windows wlan properties, but the log was still empty.
    Which clarifications do I have to do in ACS and AD?
    Can someone help me and give me very detailed instructions on how to make it work.

    Hi,
    We had a same problem until we ran 2 windows hotfixs. Those are: WindowsXP-KB893357-v2-x86-ENU.exe and WindowsXP-KB890046-x86-ENU.exe Have you tried to do this. Our EAP-TLS machine authentication is working fine now.
    Have you enabled EAP-TLS authentication in ACS? ACS-> System configuration: Mark Allow EAP-TLS

  • Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

    In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
    on this computer" and un-checked "Use simple certificate selection".
    My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
    client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
    drop down.
    Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
    TIA,
    -Rick

    Hi Rick,
    Thank you for your patience.
    According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
    know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
    Best regards,
    Steven Song
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Wired EAP-TLS Problems

    I'm trying to setup wired clients to authenticate with EAP-TLS on a Catalyst 2950, I put together a test setup using the configs on my freeRADIUS server taken from another which is working with EAP-TLS over wireless, the requests are being passed through to the server but the authentication is still failing, could anyone give me some advice? Logs and configs included below......
    My current setup is:
    FreeRADIUS server - Fedora Core 6, freeradius-1.1.3-2.fc6, freeradius-mysql-1.1.3-2.fc6
    Cisco Catalyst 2950 - IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1) - c2950-i6q4l2-mz.121-22.EA9.bin
    Laptop - OpenSUSE 10.2
    I followed the guide to setting up 802.1x auth on the switch from the 2950 docs and from here:
    http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (although I'm not using Windows, so only the switch config is relevant)
    "select * from nas" (comma seperated to make it easier):
    id,nasname,shortname,type,ports,secret,community,description
    1,10.10.0.9/32,Catalyst,cisco,NULL,<secret>,NULL Catalyst 2950
    wpa_supplicant.conf on laptop:
    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=wheel
    ap_scan=0
    network={
    key_mgmt=IEEE8021X
    identity="SUSE Laptop"
    eapol_flags=0
    eap=TLS
    ca_cert="/home/evosys/Documents/cacert.pem"
    client_cert="/home/evosys/Documents/suse_cert.pem"
    private_key="/home/evosys/Documents/suse_key.pem"
    private_key_passwd="<password>"
    Outputs of the radiusd and wpa_supplicant are attached...

    Based on this:
    TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain)
    SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
    I would say that your freeRADIUS server is providing a self-signed cert and the supplicant doesn't trust the signature. The client's ca_cert has to be the same one that signed the freeRADIUS server's cert (or you have to disable certificate verification on the client).
    Shelly

  • 8021.x EAP-TLS "User" vs "System" profile problems

    Hello. I have a macbook using EAP-TLS (wired) with digital certificate authentication. Finally, it's working but I have the following workarounds/questions.
    1. I have had to set the Username field to "HOST/<machine FQDN>". Other systems (ie: Windows) prepend "HOST/" automatically. Is this a known limitation or is there something I can/should do to have OS/X pull out the certificate identity and put it in as "host/identity" in response to the Identity EAP request?
    2. This works fine for USER profiles, but I cannot get a SYSTEM profile to work. When I setup a SYSTEM profile, it screws with the keychain (my root CA has to be explicitly trusted, and the SYSTEM profile only turns on Trust for eapolclient), and the auth fails. There's not enough logging detail (LogLevel=1 only gives you a network trace...) to see what's going on, so I'll ask the experts here - what's going on?
    I concede that I have played around with System profiles quite a bit, so maybe I need to delete the system profile and restart but I don't know how to do that.
    Thanks!

    Assuming you're using the stock XP wifi client.
    When running XPSP3, you need to set two things:
    1) force one registry setting.
    According to
    http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
    You need to force usage of machine cert-store certificate:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "AuthMode"=dword:00000002
    2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
    - show available wireless networks
    - change advanced settings
    - wireless networks tab
    - select your SSID, and then hit the "properties" button
    - select authentication tab, and then hit "properties" button
    - search for your signing CA, and check the box.
    I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
    Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
    please cross reference to
    https://supportforums.cisco.com/message/3280232
    for a better description of the whole setup.
    Ivan

  • Wired 802.1x EAP-TLS Server Certificate Problem

    I have setup wired 802.1x authentication using EAP-TLS with ACS 3.3 and backend link to Active Directory. Root CA certificates are installed on the ACS and Client PC. Machine certificates and user certificates are also installed on Client PC. A Server certificate is installed on the ACS. All has been configured as detailed on the Cisco Web Site (numerous documents).
    If I set the client to authenticate the Servers certificate I get a failure. The clients log (Cisco Secure Services Client) states:
    11:48:53.088 Validating the server.
    11:48:53.088 Server list is empty, trusted server can not be validated.
    11:48:53.088 Server list is empty, trusted server can not be validated.
    11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
    11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
    11:48:54.776 The authentication process has failed.
    If I look at the Auth log on ACS (set to full logging) it states:
    AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
    AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
    If I configure the client to not check the servers certificate it all works ok.
    Can anyone tell me why my server certificate is getting rejected?
    Thanks,
    Paul

    If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

  • ISE - EAP-TLS and then webAuth?

    Hello everyone!
    I have a little bit of a complex dilemma in an ISE deployment and I am trying to lean more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.
    Hardware:
    Cisco ISE VM running 1.1.3.124
    WLC 5508 running 7.4.100.0
    AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
    iPod Touch version 6.1.3(10B329)
    Senario:
    •- User Authenticates to SSID that is 802.1x WPA2 AES,
    •- Machine is checked by having valid Cert issued by CA and given access to ISE CWA
    •- User open’s their browser
    •- WLC redirects them to ISE CWA
    •- User provides credentials on the portal
    •- User to CoA’d to full access network
    Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to centeral web auth on ISE. Standard rule 2 & 3 (which are disabled in this screen shot) are the rules that prove the CWA works on an open SSID.
    I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
    Thank you in advance!
    Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
    I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:

    Please review the below link which might be helpful :
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

Maybe you are looking for

  • Need procedure to change ip address on private interconnect in 11.2.0.3

    Could someone please send me the procedure to change the ip address of the private interconnect in 11gr2 rac (11.2.0.3) The interconnect has been configured using the default HAIP resource during installation of a 2 node cluster on the aix 6.1 platfo

  • Safari's "Email this page" keyboard shortcut opens second Mail.app

    Hello, First of all, neither the Safari toolbar button nor the File > Share > Email this page work at all. Both do nothing. Quitting Safari & Mail has no effect. HOWEVER The keyboard shortcut (command + shift + I) does work, but it opens another inst

  • Several key figures in one colume in P&L report

    Hello! Please, say me about decision of my problem: I hame hierarchy 0GL_ACCOUNT in P&L report, key figure is 0Balance. Items of P&L connected with one or more accounts. But for several accounts I need new key figure (not 0Balance), which calculated

  • Acces key problem in Mobile web application

    Hi experts, I am just trying a mobile web application according to the link given below: /people/john.moy3/blog/2010/11/21/build-your-first-mobile-web-app-using-jquery-mobile-and-abap--part-2 tutorial by John Moy. While reimplementing the controller

  • Cannot Login to iBook G4 OS 10.4.7

    My iBook G4's battery is being replaced, and it was without power for over 10 hours. Now when I boot, the login screen does not accept my password. How do I solve this problem, as I cannot "get into" my computer? Thanks, Mike